Ransomware groups have been on the rise, exploiting both known and zero-day vulnerabilities to gain initial access to victim organizations over the past year. This trend was highlighted in recent research conducted by Cisco Talos, shedding light on the strategies employed by 14 prominent ransomware groups between 2023 and 2024.
In a detailed blog post, James Nutland, a threat intelligence analyst at Cisco Talos, reported that LockBit was the most active group during that period despite multiple law enforcement crackdowns. The research also found that ransomware actors favour vulnerability exploitation as a way into victim environments.
Common attack chains and examples of exploited vulnerabilities were outlined by Nutland, including the exploitation of vulnerabilities such as ZeroLogon and an old Fortinet FortiOS SSL VPN vulnerability. The blog post noted that these tactics coincide with significant attacks, such as the recent incident involving CDK Global.
According to Nutland, the research conducted by Talos during the blog’s timeframe revealed a surge in ransomware attacks targeting the United States, particularly in the manufacturing sector. These attacks resulted in substantial financial losses and operational disruptions for the victim organizations.
The blog emphasized how ransomware actors gain initial access by exploiting three key vulnerabilities. The first is an elevation of privilege flaw in Microsoft’s Netlogon Remote Protocol, known as Zerologon, which can allow attackers to bypass authentication requirements.
Additionally, a path traversal flaw in Fortinet’s FortiOS SSL VPN and a critical flaw in Fortra’s GoAnywhere managed file transfer software were identified as exploited vulnerabilities by ransomware groups. These vulnerabilities enabled attackers to move laterally through networks, ultimately leading to ransomware deployment and data exfiltration.
The blog also pointed out the growing trend of ransomware actors exploiting vulnerabilities in public-facing applications to gain initial access, a practice not exclusive to ransomware groups. A government advisory further warned that the Chinese state-sponsored threat group APT40 prioritizes vulnerability exploitation as an initial access vector.
In a section dedicated to data theft-only attacks, Nutland discussed the notable activities of ransomware groups such as Alphv, Rhysida, and Clop. While traditional ransomware attacks are still prevalent, Clop stood out for embracing data theft-only attacks and leveraging zero-day vulnerabilities in its campaigns.
Moreover, Cisco Talos observed effective evasion techniques employed by ransomware actors to prolong their presence in victim networks, including the disabling of security tools and modification of system registries. Nutland stressed the importance of organizations implementing proper security controls, regular patch management, MFA, network segmentation, and the principle of least privilege to mitigate such threats.
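The evasion behaviour described above (disabling security tools and editing the registry) leaves a trail in registry-write telemetry that a detection rule can key on. The following is an added example, not code from Cisco Talos or the blog post: it parses constructed, Sysmon-style "registry value set" log lines (the line format, the sample events, and the service watchlist are assumptions made for this illustration) and flags writes that switch off Windows Defender policy settings or set a security service's `Start` value to disabled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed line shape modelled on Sysmon Event ID 13 (RegistryEvent, value set).
# Real deployments would read the Windows event log or a SIEM export instead.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) Image=(?P<image>.+?) "
    r"TargetObject=(?P<target>.+?) Details=(?P<details>.+)$"
)
DWORD_RE = re.compile(r"DWORD \(0x(?P<hex>[0-9A-Fa-f]{8})\)")

# Policy subtree whose "Disable*" values turn Defender features off.
DEFENDER_POLICY_PREFIX = "hklm\\software\\policies\\microsoft\\windows defender\\"
# Service start type lives under ...\Services\<name>\Start; 4 means "Disabled".
SERVICE_START_RE = re.compile(
    r"^hklm\\system\\currentcontrolset\\services\\(?P<svc>[^\\]+)\\start$"
)
SERVICE_DISABLED = 4
# Assumed watchlist of security-relevant services for this example.
WATCHED_SERVICES = {"windefend", "sense", "wdnissvc"}


@dataclass
class RegistryEvent:
    event_id: int
    image: str
    target: str
    value: Optional[int]  # decoded DWORD, None for non-DWORD data


@dataclass
class Finding:
    rule: str
    image: str
    target: str


def parse_event(line: str) -> Optional[RegistryEvent]:
    """Parse one log line; return None for lines that do not match the shape."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    dword = DWORD_RE.search(m.group("details"))
    value = int(dword.group("hex"), 16) if dword else None
    return RegistryEvent(int(m.group("id")), m.group("image"), m.group("target"), value)


def check_event(ev: RegistryEvent) -> Optional[Finding]:
    """Apply the two tampering rules to a single registry-write event."""
    if ev.event_id != 13:
        return None
    target = ev.target.lower()
    # Rule 1: a Defender policy value named Disable* set to 1.
    if target.startswith(DEFENDER_POLICY_PREFIX):
        value_name = target.rsplit("\\", 1)[-1]
        if value_name.startswith("disable") and ev.value == 1:
            return Finding("defender_policy_disable", ev.image, ev.target)
    # Rule 2: a watched security service's Start type set to Disabled (4).
    m = SERVICE_START_RE.match(target)
    if m and m.group("svc") in WATCHED_SERVICES and ev.value == SERVICE_DISABLED:
        return Finding("security_service_disabled", ev.image, ev.target)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run every line through the parser and rules; collect the hits."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            hit = check_event(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware "
    "Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Services\\Sense\\Start "
    "Details=DWORD (0x00000004)",
    "EventID=13 Image=C:\\Program Files\\App\\updater.exe "
    "TargetObject=HKCU\\Software\\App\\LastRun Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring "
    "Details=DWORD (0x00000001)",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image} wrote {f.target}")
```

Of the four constructed events, the benign application write is ignored and the other three are reported. In practice the same rules would be fed from an EDR or SIEM pipeline, and the image that performed the write (here `reg.exe` and `svchost.exe`) is what an analyst pivots on next.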
Overall, the research by Cisco Talos highlights the evolving tactics and strategies of ransomware groups, underscoring the critical need for organizations to proactively address vulnerabilities and enhance their cybersecurity posture to defend against such malicious activities.
